help-guix

Re: how to understand this SELinux stuff?


From: znavko
Subject: Re: how to understand this SELinux stuff?
Date: Sat, 04 May 2019 20:09:54 +0000

I think your words are most clear. Thank you, Ricardo Wurmus!

May 4, 2019 7:58 PM, "Ricardo Wurmus" <address@hidden> wrote:

>> #. type: enumerate
>> #: doc/guix.texi:1291
>> msgid "We could generate a much more restrictive policy at installation 
>> time, so that only the
>> @emph{exact} file name of the currently installed @code{guix-daemon} 
>> executable would be labelled
>> with @code{guix_daemon_exec_t}, instead of using a broad regular expression. 
>> The downside is that
>> root would have to install or upgrade the policy at installation time 
>> whenever the Guix package
>> that provides the effectively running @code{guix-daemon} executable is 
>> upgraded."
>> 
>> I cannot understand the latter sentence. What is the 'guix package that 
>> provides the effectively
>> running guix-daemon'? Can I say just: if guix-daemon's executable was 
>> upgraded?
> 
> The point here is that the absolute file name of “guix-daemon” may very
> well differ over time. You may be running
> /gnu/store/abcdefg…-guix-…/bin/guix-daemon today and
> /gnu/store/xyz…-guix-…/bin/guix-daemon tomorrow. SELinux policies work
> by defining rules matching absolute file names, so if the rule were
> attached to a *specific* item in the store it would have to be updated
> whenever the daemon would be used from a *different* location in the
> store, such as after upgrades.
> 
> --
> Ricardo

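The trade-off Ricardo describes, as an added example (not code from the thread or from Guix's own policy files): a file-context rule written as a broad regular expression keeps labelling the daemon after an upgrade moves it to a new store path, while a rule pinned to one exact file name silently stops applying. The regular expression below is modelled on the shape of store paths in the reply and is an assumption, not the expression from the project's policy; the store hashes are constructed.

```python
import re
from typing import Optional, Union

LABEL = "guix_daemon_exec_t"

# Assumed shape of a store path for the daemon: /gnu/store/<32-char hash>-guix-<version>/bin/guix-daemon.
# This is the "broad regular expression" style of rule; the real policy's pattern may differ.
BROAD_RULE = re.compile(r"^/gnu/store/[0-9a-z]{32}-guix-[^/]+/bin/guix-daemon$")

# Constructed store paths: the daemon as installed today and after an upgrade.
TODAY = "/gnu/store/" + "a" * 32 + "-guix-1.0.1/bin/guix-daemon"
TOMORROW = "/gnu/store/" + "b" * 32 + "-guix-1.0.2/bin/guix-daemon"
# The "much more restrictive" alternative: a rule naming only today's exact file.
EXACT_RULE = TODAY

Rule = Union[re.Pattern, str]


def label_for(path: str, rule: Rule) -> Optional[str]:
    """Type an SELinux file-context rule would assign to `path`, or None if it does not match.

    A compiled pattern behaves like a regex file-context entry; a plain string
    behaves like an entry that names one exact absolute file name.
    """
    if isinstance(rule, re.Pattern):
        return LABEL if rule.fullmatch(path) else None
    return LABEL if path == rule else None


def policy_needs_update(running_daemon: str, rule: Rule) -> bool:
    """True when the daemon currently in use would not receive the label under `rule`.

    This is the situation the reply warns about: with an exact-path rule, root
    must regenerate the policy every time the daemon is run from a new store path.
    """
    return label_for(running_daemon, rule) is None


if __name__ == "__main__":
    for name, rule in (("broad regex", BROAD_RULE), ("exact path", EXACT_RULE)):
        for when, path in (("today", TODAY), ("after upgrade", TOMORROW)):
            print(f"{name:11} {when:14} label={label_for(path, rule)} "
                  f"needs_update={policy_needs_update(path, rule)}")
```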